• In April of 2025, my colleague Mat Powell was hunting for vulnerabilities in Autodesk Revit 2025.
• While fuzzing RFA files, he found the following crash (CVE-2025-5037 / ZDI-CAN-26922, addressed by Autodesk in July 2025): Is this an exploitable crash?
• From the debugger output at the crash point, as seen above, it is unclear whether anything is controllable.
• At around this time, my colleague Nitesh Surana uncovered a highly impactful cloud-based supply chain vulnerability in the Axis Communications Plugin for Autodesk Revit.
• This vulnerability made it possible for a malicious actor to force the distribution of corrupted RFA files to Axis plugin users globally, which Autodesk Revit would parse upon use of the Axis Communications plugin.
• Refer to the blog post here for a full discussion of his research.
Article Summaries:
- In April 2025, researchers discovered a crash in Autodesk Revit 2025's RFA file parser (CVE-2025-5037). Using fuzzing and time-travel debugging, they traced the fault to a deserializer that could be manipulated to achieve remote code execution (RCE) via return-oriented programming. A concurrent supply-chain flaw in Axis Communications' Revit plugin allowed attackers to push corrupted RFA files to users worldwide, amplifying the risk. Autodesk issued a patch in July 2025. The findings underscore the severity of both the core application vulnerability and the plugin's supply-chain weakness, prompting heightened scrutiny of third-party extensions.